Which marker is placed in the first byte of a FAT directory entry to indicate that a file has been deleted?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which marker is placed in the first byte of a FAT directory entry to indicate that a file has been deleted?

Explanation:
In FAT directory entries, a deletion is signaled by a flag in the first byte of the entry. When a file is deleted, that first byte is replaced with 0xE5, marking the entry as deleted while leaving the rest of the entry’s data intact for possible recovery. This is why forensic analysis can often recover the filename and other details even after deletion, unless those bytes have been overwritten. The alternative 0x00 indicates a free (unused) directory entry, not a deleted one. The other values aren’t standard markers for deletion in FAT directory entries.